Device for reliable signal generation

ABSTRACT

Proposed is a device for reliably generating signals in a motor vehicle, having a control means (10), which is supplied at least one control signal (24, 26, 34, 36), the control means (10) generating a trigger signal (25, 27) as a function of the control signal (24, 26, 34, 36), in order to trigger at least one switching element (16, 18, 52, 53, 54) or driver; and having emergency-operating means (14, 28, 30, 67, 68, 69), which, in an emergency operation, generate the trigger signal (25, 27) as a function of at least the one control signal (24, 26, 34, 36); testing means (10, 12) being provided, which test the operativeness of the emergency-operating means (14, 28, 30, 67, 68, 69) by selectively triggering them.

FIELD OF THE INVENTION

[0001] The present invention relates to electronic circuits, and relates in particular to a device for reliably generating signals.

BACKGROUND INFORMATION

[0002] German Published Application No. 100 11 410 describes a device for reliably generating signals, where signals critical with regard to safety can be generated, on one hand, by a microcontroller and, on the other hand, by an emergency-operation circuit path, independently of the microcontroller, in the case of a fault of the microcontroller. This increases the reliability of generating a safety-related signal. However, selective monitoring for the correct functioning of the components involved is not provided.

SUMMARY OF THE INVENTION

[0003] A device according to the present invention for reliably generating signals in a motor vehicle includes, in one embodiment, at least one control arrangement, which receives at least one control signal. The control arrangement generates a trigger signal as a function of the control signal, in order to trigger a switching element. An emergency operating arrangement is provided, which, during an emergency operation, bypasses the control arrangement and generates the trigger signal as a function of at least the one control signal. A testing arrangement of the present invention checks the operativeness of the emergency operating arrangement by deliberately triggering it. The device of the present invention allows the operativeness of the involved components of a reliable signal generation system to be checked constantly. Defective operating states of the emergency operating arrangement are reliably detected and may be displayed to the user, in order, for example, to find a garage and repair the defect.

[0004] In an advantageous further embodiment, the emergency operating arrangement is activated for a specifiable time span. As a rule, this short time span is sufficient for detecting a fault of the emergency operating arrangement from incoming check-back signals. A check-back signal appearing within this time span is compared to the nominal state that corresponds to the control signal. In the event of deviations, a fault is inferred.

[0005] The emergency operating arrangement may be activated by an edge change. If the emergency operating arrangement is functional, then the desired function may already be activated at this time by the control signal. After the specifiable time span has elapsed, the control arrangement takes over the further triggering of the switching element. For the user, this means unnoticeable test routines, which are executed with each occurrence or edge change of a control signal. Even if the emergency operating arrangement is defective, the user does not notice possible delays in the activation or deactivation of the desired function, since the specifiable time span may be selected to be appropriately short.

[0006] According to a further embodiment, the signals “ignition”, “start”, “low beam”, and “parking light” are provided as examples of control signals and can be of high safety relevance to operationally reliable use of a motor vehicle.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] FIG. 1 is a block diagram of a first exemplary embodiment of the device for reliably generating signals according to the present invention.

[0008] FIG. 2 shows exemplary signal patterns produced by the device for reliably generating signals according to FIG. 1.

[0009] FIG. 3 is a block diagram of a second exemplary embodiment of the device for reliably generating signals according to the present invention.

[0010] FIG. 4 shows exemplary signal patterns produced by the device for reliably generating signals according to FIG. 3.

[0011] FIG. 5 is a block diagram of a third exemplary embodiment of the device for reliably generating signals according to the present invention.

[0012] FIG. 6 shows exemplary signal patterns produced by the device for reliably generating signals according to FIG. 5.

DETAILED DESCRIPTION

[0013] As shown in FIG. 1, a low-beam control signal 24 and a parking-light control signal 26 are supplied to a first microcontroller 10. Low-beam control signal 24 reaches a switching element 14 via a first emergency-operation path 28, and parking-light control signal 26 reaches the switching element via a second emergency-operation path 30. In the closed state, switching element 14 transmits low-beam control signal 24 and parking-light control signal 26 as low-beam output signal 25 and parking-light output signal 27, respectively, to a first driver 16 and a second driver 18, respectively, in order to trigger them. First microcontroller 10 communicates with a second microcontroller 12, which provides an emergency-operation activating signal 32 for triggering switching element 14. First microcontroller 10 generates a low-beam output signal 25 as a function of low-beam control signal 24, the low-beam output signal being logically combined by diodes 23, in an OR operation, with the corresponding output signal of switching element 14. In the same manner, first microcontroller 10 may generate a parking-light output signal 27, which is likewise combined with the corresponding output signal of switching element 14, in an OR operation. Low-beam output signal 25 and parking-light output signal 27 are trigger signals for first driver 16 and second driver 18, respectively, by which dimmed headlight beam 20 and parking light 22, respectively, are supplied with electrical energy. Drivers 16, 18 sense the output current flowing through loads 20, 22, respectively, and signal it back to first microcontroller 10 as check-back signal 17 of first driver 16 and check-back signal 19 of second driver 18.

[0014] FIG. 2 shows possible signal patterns, which may occur in the exemplary embodiment according to FIG. 1. At time t₀, parking-light control signal 26 changes its state from logical zero to logical one. This event triggers emergency-operation activating signal 32, which assumes the state of logical one between times t₀ and t₁. If there is a fault in second emergency operating path 30, then check-back signal 19 indicating the state of parking light 22 first changes its logical state from zero to one at time t₁. However, if second emergency operating path 30 is functional, then parking light 22 is already activated at time t₀, which is recognizable from check-back signal 19 of second driver 18 (represented by a dotted line). At time t₂, the user activates the dimmed headlight, which is indicated by a signal change of low-beam control signal 24 from logical zero to logical one. At time t₂, this event generates an emergency-operation activating signal 32 of logical one, which lasts for a predefined time span until time t₃. If first emergency operating path 28 is working, then check-back signal 17 of first driver 16 already changes its state from logical zero to logical one at time t₂, but in the case of a fault, it does not change its state until time t₃. The user deactivates the dimmed headlight at time t₄. Thus, the state of check-back signal 17 of first driver 16 also changes at time t₄. At time t₅, the switching-off of the parking light (parking-light control signal 26 changes from the state of logical one to logical zero) causes parking light 22 to turn off, which is recognizable by an edge change of check-back signal 19 of second driver 18.

[0015] In the exemplary embodiment according to FIG. 3, the user may control states of an ignition-control signal 34 (terminal 15) and a start-control signal 36 (terminal 50), using an ignition and starting switch 38. These signals are transmitted to both a steering-column switch module 40 and first microcontroller 10. First microcontroller 10 exchanges signals with a second microcontroller 12, which in turn generates a second emergency-operation activating signal 65 as an input quantity for an OR gate 50. OR gate 50 additionally receives a first emergency-operation activating signal 64 generated by first microcontroller 10, as a further input quantity. The output signal of OR gate 50 triggers first, second, and third two-way switches 67, 68, and 69. No emergency operation is activated in the switch position of two-way switches 67 through 69 shown in FIG. 3, so that two-way switches 67 through 69 directly transmit the output signals of first microcontroller 10, starting signal 71, starting-relief signal 72, and ignition signal 73 to a first, second, and third relay driver 52, 53, 54. First relay driver 52 activates or deactivates the control input of a first relay 56, by which the terminal-50 (starter) may be activated. Second relay driver 53 controls second relay 57, which brings about the starting relief (disconnection of loads not necessary for the starting operation) (terminal 75). If the emergency operation path is not activated, i.e. if third two-way switch 69 is in the state shown, then ignition signal 73 generated by first microcontroller 10 is transmitted directly to third relay driver 54, by which a third relay 58 for operating the ignition may be activated.
A starting check-back signal 60 records the state of first relay 56, ignition check-back signal 61 records the state of third relay 58, and a starting-relief check-back signal 62 records the state of second relay 57, each of these signals being supplied to first microcontroller 10 as input signals. Ignition-control signal 34 now bypasses first microcontroller 10 and is transmitted to third two-way switch 69. If the emergency operation is activated, then two-way switch 69 changes its state shown in FIG. 3 and now causes ignition-control signal 34 to bypass microcontroller 10 and relays it for the control of third relay driver 54. In turn, starting-control signal 36 bypasses first microcontroller 10 and arrives at first two-way switch 67, which directly controls first relay driver 52 with the aid of starting-control signal 36, in response to the emergency operation being activated by the output signal of OR gate 50. Ignition-control signal 34 and negated starting-control signal 36 are combined by an AND gate 48 and form a starting-relief signal, which, in the case of the emergency-operation setting of second two-way switch 68, reaches second relay driver 53 for tripping second relay 57. First microcontroller 10 exchanges data with a watchdog 46, as well as with a bus system 42 via a bus interface 44. There is also a data connection between steering-column switch 40 and bus system 42.

[0016] FIG. 4 shows signal patterns that may possibly occur in the exemplary embodiment according to FIG. 3. At time t₀, the user moves ignition and starting switch 38 into the position “ignition on”, which is indicated by a signal change of ignition-control signal 34 from logical zero to logical one. At time t₂, the user would like to start the vehicle and moves ignition and starting switch 38 into the position “start”, so that starting-control signal 36 changes from the state of logical zero to the state of logical one. At time t₆, this state changes again, in that the user lets go of ignition and starting switch 38 (terminal 15 stays on). Starting-relief signal 72 generated by first microcontroller 10 results from the AND combination of ignition-control signal 34 with inverted starting-control signal 36. Therefore, at time t₀, starting-relief signal 72 changes from the state of logical zero to logical one, in order to again assume the state of logical zero at time t₂ (switching-off of the unneeded load circuits for starting relief), up to time t₆. When ignition-control signal 34 is switched off at time t₇, starting-relief signal 72 also changes from the state of logical one to logical zero. When a rising edge of ignition-control signal 34 occurs at time t₀, first microcontroller 10 generates first emergency-operation activating signal 64 until time t₁. At time t₃, first microcontroller 10 deactivates first emergency-operation activating signal 64. With the switching-off of ignition-control signal 34, second emergency-operation activating signal 65 is set to logical one at time t₇, until time t₈, in order to also test the performance reliability of activating the emergency-operation path with the aid of second microcontroller 12.
In the case of proper emergency operation, starting-relief check-back signal 62 may already assume the state of logical one at time t₀. However, if starting-relief check-back signal 62 only changes its state from logical zero to logical one at time t₁, then one may deduce that the emergency-operation path is defective. If second microcontroller 12 controls the emergency-operation path correctly, then starting-relief check-back signal 62 retains the state of logical one from time t₆ to time t₇. However, if a defect occurs when the emergency-operation path is activated by second microcontroller 12, then starting-relief check-back signal 62 only changes from the state of logical one to logical zero at time t₈. When the emergency-operation path by first microcontroller 10 is functioning, starting check-back signal 60 changes its state from logical zero to logical one at time t₃ at the earliest. In the event of defective emergency-operating path triggering by first microcontroller 10, the positive edge of starting check-back signal 60 first occurs at time t₄. At time t₅, starting check-back signal 60 changes state from logical one to logical zero. When the emergency-operation control by first microcontroller 10 is functioning, ignition check-back signal 61 assumes the state of logical one at time t₀, but assumes the state of logical one at a time t₁ in the event of defective emergency-operation control. If the emergency-operation activation by second microcontroller 12 functions correctly, then ignition check-back signal 61 already changes its state from logical one to logical zero at time t₇, but when the emergency-operation path is defective, then it changes its state from logical one to logical zero at time t₈. The delay between terminal 75/terminal 50 (times t₂, t₃; t₅, t₆) does not have any influence on the testing of the emergency-operation paths. The delay may also be set to zero, using software.

[0017] As an addition to FIG. 1, the third exemplary embodiment according to FIG. 5 provides for an automatic driving-light control signal 81 being transmitted to first microcontroller 10, as well as being transmitted to switching element 14, in an OR operation, with low-beam control signal 24. An emergency-operation diode 87 is situated between the outputs of switching element 14. This does not have any influence on the testing of the emergency-operation paths, but causes parking light 22 to be switched on during emergency operation, when the dimmed headlight or the automatic driving-light function is activated.

[0018] The signal pattern according to FIG. 6 is described below. An automatic driving-light signal 81 is fed to first microcontroller 10 in the same manner as a light-sensor signal 82. This outputs an output signal 25 for controlling a driver 16 of dimmed headlight 20. During the testing of the emergency-operation path, first microcontroller 10 recognizes that the rotary light switch is on at position AFL, and that the light-sensor signal is activated. The emergency-operation path is then activated by second microcontroller 12, initiated by first microcontroller 10. In the actual emergency operation, i.e. not in the test case, it is sufficient when the rotary light switch is at the AFL setting, in order to activate emergency light operation. First microcontroller 10 exchanges data with second microcontroller 12, which assumes the control of the two-way switch for activating the emergency operation. Emergency-operation activating signal 84 for testing the emergency-operation path is then activated (state of logical one), when the signal resulting from logical AND operation of driving-light signal 81 and light-sensor signal 82 has a positive edge. The lower headlight beam is only then switched on. When the emergency-operation path is operating properly in response to being activated by second microcontroller 12, low-beam check-back signal 85 likewise supplied to first microcontroller 10 for error evaluation would already change from the state of logical zero to logical one at time t₀. If the triggering of the emergency-operation path by second microcontroller 12 is not successful (defective emergency-operation path), then the signal change first occurs at time t₁. The emergency-operation path is also reactivated at time t₂ till time t₃. When the emergency-operation path functions correctly, the check-back signal of dimmed headlight 85 would already change state at time t₂, but, in the event of defective operation, it would not change state until time t₃.

[0019] In the exemplary embodiment according to FIG. 1, first microcontroller 10 assumes the software-controlled triggering of driver 16, 18 as a function of the state of low-beam control signal 24 and parking-light control signal 26. In order to further ensure the control of drivers 16, 18 in the case of a fault of first microcontroller 10, emergency-operation paths 28, 30 are provided, which bypass microcontroller 10 and directly combine control signals 24, 26, as control signals for drivers 16, 18, with the output signals of first microcontroller 10, using OR network 21. However, this direct control with the bypassing of microcontroller 10 only occurs when switching element 14 is in the closed state. The corresponding triggering of switching element 14 is assumed by second microcontroller 12 with the aid of emergency-operation activating signal 32. Second microcontroller 12 monitors the operativeness of first microcontroller 10 and, in the case of a fault, drives switching element 14 in the closing direction, in order to activate emergency-operation paths 28, 30. Therefore, in spite of a fault of first microcontroller 10, proper operation continues to be possible during normal operation.

[0020] In order to now check the operativeness of emergency-operation paths 28, 30, first microcontroller 10 initiates the triggering of drivers 16, 18 for the time span of t₀ to t₁, via emergency-operation paths 28, 30 (using second microcontroller 12 and emergency-operation activating signal 32). However, after time t₁, the control is accomplished regularly by directly supplying trigger signals 25, 27 with the aid of first microcontroller 10. In this connection, switching element 14 is driven in the direction of opening (deactivation of emergency-operation paths 28, 30).

[0021] The functioning method of the emergency-operation check test is described in detail, using the signal pattern according to FIG. 2. At time t₀, the user operates the parking light, so that parking-light control signal 26 changes from the state of logical zero to logical one. This rising edge triggers the activation of the emergency-operation monitoring function in first microcontroller 10, which acts as the emergency-operation monitoring arrangement. At time t₀, first microcontroller 10 still does not output a signal corresponding to parking-light control signal 26, but rather activates the emergency-operation function via second microcontroller 12. As a result, second microcontroller 12 generates an emergency-operation activating signal 32, by which switching element 14 is closed in such a manner, that parking-light control signal 26 bypasses microcontroller 10 and arrives at the input of second driver 18. Field-effect transistors are used, for example, as drivers 16, 18, the field-effect transistors additionally generating signals proportional to the output current, in the form of check-back signals 17, 19. First microcontroller 10 subjects check-back signal 19 to an analog-digital conversion and compares the incoming value to a specifiable threshold value. If this threshold value is exceeded, then microcontroller 10 concludes that parking light 22 is being activated. Microcontroller 10 evaluates check-back signal 19 within the time span t₀ to t₁ and compares the signaled state of parking light 22 to the nominal state, as is determined by incoming parking-light control signal 26. As of time t₀, parking light 22 should be triggered in the direction of activation. If check-back signal 19 signals this state, then microcontroller 10 concludes that second emergency-operation path 30 is operating properly. However, if check-back signal 19 indicates that parking light 22 is not activated, then the nominal state deviates from the actual state.
It is concluded that second emergency-operation path 30 has a fault. First microcontroller 10 creates a corresponding entry in the fault-storage means. In addition, this fault may be displayed by a data-bus system not shown, in order to point out to a user that he or she should drive to the next garage. However, second microcontroller 12 generates an emergency-operation activating signal 32 for a specifiable, short time span, i.e. from time t₀ to time t₁. As of this time t₁ known to first microcontroller 10, it now assumes the control of second driver 18 by outputting the corresponding state of parking-light control signal 26. However, emergency-operation path 30 is now interrupted again, so that parking-light control signal 26 no longer controls second driver 18 directly by bypassing microcontroller 10. When a rising edge of low-beam control signal 24 occurs at time t₂, the operativeness of first emergency-operation path 28 is now tested. The procedure is analogous to that described in connection with the parking-light emergency-operation path, while check-back signal 17 of first driver 16 is evaluated.
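The test sequence of paragraph [0021] for the parking-light channel of FIG. 1, as an added simulation in C that is not part of the original document. The struct and function names, the A/D counts, the threshold and the window length in ticks are assumptions made for illustration; a defect in emergency-operation path 30 is injected with a flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ADC_ON_THRESHOLD  300u  /* assumed threshold for "load is on" */
#define TEST_WINDOW_TICKS 5     /* assumed length of the t0..t1 window */

typedef enum { PATH_OK, PATH_FAULT } path_result_t;

/* Constructed model of the parking-light channel of FIG. 1. */
typedef struct {
    bool control;       /* parking-light control signal 26 */
    bool mcu_out;       /* output of first microcontroller 10 */
    bool emerg_enable;  /* emergency-operation activating signal 32 */
    bool path_broken;   /* injected defect in emergency-operation path 30 */
} channel_t;

typedef struct {
    path_result_t result;
    int      load_on_tick;   /* first tick at which the load was seen on */
    bool     load_on_after;  /* load state after microcontroller 10 took over */
    unsigned fault_entries;  /* entries written to the fault store */
} test_report_t;

/* Trigger signal 27: microcontroller output OR'ed with the output of
 * switching element 14, which passes signal 26 only while it is closed. */
static bool trigger_signal(const channel_t *c)
{
    bool bypass = c->emerg_enable && !c->path_broken && c->control;
    return c->mcu_out || bypass;
}

/* Check-back signal 19 after A/D conversion (constructed counts). */
static uint16_t checkback_adc(const channel_t *c)
{
    return trigger_signal(c) ? 600u : 12u;
}

static bool load_is_on(const channel_t *c)
{
    return checkback_adc(c) > ADC_ON_THRESHOLD;
}

/* Test routine run on a rising edge of control signal 26. */
test_report_t test_emergency_path(channel_t *c)
{
    test_report_t r = { PATH_OK, -1, false, 0 };
    bool nominal = c->control;  /* nominal state given by the control signal */
    bool actual = false;

    /* t0: hold the own output back and have switching element 14 closed. */
    c->mcu_out = false;
    c->emerg_enable = true;

    /* t0..t1: evaluate the check-back signal inside the test window. */
    for (int tick = 0; tick < TEST_WINDOW_TICKS; tick++) {
        if (load_is_on(c)) {
            actual = true;
            if (r.load_on_tick < 0)
                r.load_on_tick = tick;
        }
    }
    if (actual != nominal) {    /* nominal/actual deviation: path defective */
        r.result = PATH_FAULT;
        r.fault_entries++;
    }

    /* t1: switching element 14 opens, microcontroller 10 takes over. */
    c->emerg_enable = false;
    c->mcu_out = c->control;
    r.load_on_after = load_is_on(c);
    if (r.load_on_after && r.load_on_tick < 0)
        r.load_on_tick = TEST_WINDOW_TICKS;  /* load first came on at t1 */
    return r;
}

/* Runs one rising edge of signal 26 with or without the injected defect. */
test_report_t simulate_edge(bool path_broken)
{
    channel_t c = { .control = true, .mcu_out = false,
                    .emerg_enable = false, .path_broken = path_broken };
    return test_emergency_path(&c);
}

int main(void)
{
    for (int broken = 0; broken <= 1; broken++) {
        test_report_t r = simulate_edge(broken != 0);
        printf("path %s: result=%s, load on at tick %d, fault entries=%u\n",
               broken ? "defective" : "intact",
               r.result == PATH_OK ? "OK" : "FAULT",
               r.load_on_tick, r.fault_entries);
    }
    return 0;
}
```

With the defect injected, the load still comes on, only delayed to the end of the window, which matches the t₀ versus t₁ edge of check-back signal 19 in FIG. 2.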

[0022] In the exemplary embodiment according to FIG. 3, both first microcontroller 10 and second microcontroller 12 may take over the activation of the emergency-operation paths. Therefore, these two activation options are also tested. Since ignition-control signal 34 and starting-control signal 36 are signals that are particularly relevant with regard to safety, it is also provided that the emergency-operation paths be tested in the case of input signals of both logical zero and logical one. In response to the occurrence of a positive-going edge of ignition-control signal 34, first microcontroller 10 directly activates the emergency-operation function itself, in that first emergency-operation activating signal 64 assumes the state of logical one at time t₀, and therefore, the output signal of OR gate 50 correspondingly does so also. Two-way switches 67, 68, 69 are thereby triggered in such a manner, that ignition-control signal 34 and starting-control signal 36 bypass first microcontroller 10 and travel directly to drivers 52, 54. In order to detect a possible fault condition of the emergency-operation path, starting check-back signal 60, ignition check-back signal 61, and starting-relief check-back signal 62 are each fed back to first microcontroller 10 via an analog-digital input. Ignition check-back signal 61 is now evaluated between times t₀ and t₁, with a view to whether this actual signal matches the nominal state specified by ignition-control signal 34. If this is the case, then microcontroller 10 concludes that the emergency-operation path functions correctly with respect to the ignition signal. In the event of a deviation from the nominal state and actual state (in the case of a fault of the emergency-operation path), first microcontroller 10 creates an entry in the fault-storage means. In addition, an error message is transmitted via interface 44 to bus system 42, in order to thus be displayed.
Now, in order to also test for the correct functioning of the emergency-operation path during the control by second microcontroller 12, first microcontroller 10 reactivates the emergency-operation function from time t₇ to time t₈, using second microcontroller 12, in response to a decreasing edge of ignition-control signal 34. If ignition relay 58 is activated in spite of the control being deactivated, then microcontroller 10 concludes that a fault is present in the emergency-operation path. In this case, the emergency-operating arrangement is switched by second microcontroller 12.

[0023] Starting-control signal 36 has a rising edge at time t₂. Terminal 75/terminal 50 signals 62, 60 are delayed between times t₂ and t₃. The terminal 50/75 and terminal 75/50 delays have no influence on the testing of the emergency-operation paths. These delays are merely used to generate a very short (e.g. 10 ms) delay time between terminal 50 and terminal 75. This delay time ensures that terminal 50 is only switched on when terminal 75 has already switched off. This time may also be set to zero, using software. The emergency-operation paths are not tested during this time. The tests of the emergency-operation paths at logical zero are accomplished concurrently: e.g., between t₀ and t₁, terminal 15 is tested at logical one, terminal 50 is tested at logical zero, and terminal 75 is tested at logical one. At time t₃, first microcontroller 10 now activates the emergency-operation function, in order to transmit starting-control signal 36 directly to first relay driver 52, while bypassing first microcontroller 10. If the actual state portrayed by starting check-back signal 60 matches the nominal signal provided by starting-control signal 36, then first microcontroller 10 recognizes that the emergency-operation path is operating properly. In the event of deviations, a fault is inferred.

[0024] The emergency-operation path for the starting relief is also tested, using an analogous procedure.

[0025] A corresponding evaluation is also to be applied analogously to the signal pattern according to FIG. 6. The emergency-operation paths of further, safety-related functions may also be tested in the described manner.

[0026] The described device is particularly suitable for use in a motor vehicle.

What is claimed is:
 1. A device for reliably generating signals in a motor vehicle, having at least one control means (10), which is supplied at least one control signal (24, 26, 34, 36), the control means (10) generating at least one trigger signal (25, 27) as a function of the control signal (24, 26, 34, 36), in order to trigger at least one switching element (16, 18, 52, 53, 54) or driver; and having emergency-operating means (14, 28, 30, 67, 68, 69), which, in an emergency operation, generate the trigger signal (25, 27) as a function of at least the control signal (24, 26, 34, 36), preferably in place of the control means (10), wherein testing means (10, 12) are provided, which test the operativeness of the emergency-operating means (14, 28, 30, 67, 68, 69) by selectively triggering them.
 2. The device as recited in claim 1, wherein testing means (10) bring about the triggering of the emergency-operating means (14, 28, 30, 67, 68, 69) for a specifiable time span.
 3. The device as recited in one of the preceding claims, wherein a fault of the emergency-operating means (14, 28, 30, 67, 68, 69) is detected, using at least one check-back signal (17, 19, 60, 61, 62).
 4. The device as recited in one of the preceding claims, wherein the emergency-operating means (14, 28, 30, 67, 68, 69) are activated or deactivated in response to an edge change of the control signal (24, 26, 34, 36).
 5. The device as recited in one of the preceding claims, wherein the emergency-operating means (14, 28, 30, 67, 68, 69) are first activated or deactivated for a specifiable time span, after a defined time span as of the edge change of the control signal (24, 26, 34, 36).
 6. The device as recited in one of the preceding claims, wherein a further control means (12) is provided, which activates or deactivates the emergency-operating means (14, 28, 30, 67, 68, 69) as a function of the first control means (10).
 7. The device as recited in one of the preceding claims, wherein, in the case of emergency operation, the emergency-operating means (14, 28, 30, 67, 68, 69) cause the control signal (24, 26, 34, 36) to bypass the control means (10), and transmit it as a trigger signal (25, 27).
 8. The device as recited in one of the preceding claims, wherein the emergency-operating means (14, 28, 30, 67, 68, 69) include at least one two-way switch (14, 67, 68, 69) for relaying either the output signal of the control means (10) or the control signal (24, 26, 34, 36).
 9. The device as recited in one of the preceding claims, wherein a measure of the current controlled by the switching element (16, 18, 56, 57, 58) is used as a check-back signal (17, 19, 60, 61, 62).
 10. The device as recited in one of the preceding claims, wherein, in order to detect faults of the emergency-operating means (14, 28, 30, 67, 68, 69), the nominal state specified by the control signal (24, 26, 34, 36) is compared by the testing means (10, 12) to the actual state derived with the aid of the check-back signal (17, 19, 60, 61, 62).